status-im/BearSSL
2
0
Fork 0
mirror of https://github.com/status-im/BearSSL.git synced 2025-02-23 16:08:10 +00:00
Code Issues Projects Releases Wiki Activity

Added seeder API. Also overhauled compile-time detection of features.

Browse Source
This commit is contained in:
Thomas Pornin 2017-08-28 16:37:30 +02:00
parent 5b980fb625
commit af9c79a071
22 changed files with 1183 additions and 399 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
inc/bearssl.h
View File

@ -135,4 +135,34 @@
#include "bearssl_x509.h"
#include "bearssl_pem.h"
/** \brief Type for a configuration option.
*
* A "configuration option" is a value that is selected when the BearSSL
* library itself is compiled. Most options are boolean; their value is
* then either 1 (option is enabled) or 0 (option is disabled). Some
* values have other integer values. Option names correspond to macro
* names. Some of the options can be explicitly set in the internal
* `"config.h"` file.
*/
typedef struct {
/** \brief Configurable option name. */
const char *name;
/** \brief Configurable option value. */
long value;
} br_config_option;
/** \brief Get configuration report.
*
* This function returns compiled configuration options, each as a
* 'long' value. Names match internal macro names, in particular those
* that can be set in the `"config.h"` inner file. For boolean options,
* the numerical value is 1 if enabled, 0 if disabled. For maximum
* key sizes, values are expressed in bits.
*
* The returned array is terminated by an entry whose `name` is `NULL`.
*
* \return the configuration report.
*/
const br_config_option *br_get_config(void);
#endif

35
inc/bearssl_rand.h
View File

@ -253,6 +253,41 @@ br_hmac_drbg_get_hash(const br_hmac_drbg_context *ctx)
return ctx->digest_class;
}
/**
* \brief Type for a provider of entropy seeds.
*
* A "seeder" is a function that is able to obtain random values from
* some source and inject them as entropy seed in a PRNG. A seeder
* shall guarantee that the total entropy of the injected seed is large
* enough to seed a PRNG for purposes of cryptographic key generation
* (i.e. at least 128 bits).
*
* A seeder may report a failure to obtain adequate entropy. Seeders
* shall endeavour to fix themselves transient errors by trying again;
* thus, callers may consider reported errors as permanent.
*
* \param ctx PRNG context to seed.
* \return 1 on success, 0 on error.
*/
typedef int (*br_prng_seeder)(const br_prng_class **ctx);
/**
* \brief Get a seeder backed by the operating system or hardware.
*
* Get a seeder that feeds on RNG facilities provided by the current
* operating system or hardware. If no such facility is known, then 0
* is returned.
*
* If `name` is not `NULL`, then `*name` is set to a symbolic string
* that identifies the seeder implemention. If no seeder is returned
* and `name` is not `NULL`, then `*name` is set to a pointer to the
* constant string `"none"`.
*
* \param name receiver for seeder name, or `NULL`.
* \return the system seeder, if available, or 0.
*/
br_prng_seeder br_prng_seeder_system(const char **name);
#ifdef __cplusplus
}
#endif

8
inc/bearssl_ssl.h
View File

@ -833,6 +833,14 @@ typedef struct {
/*
* Context RNG.
*
* rng_init_done is initially 0. It is set to 1 when the
* basic structure of the RNG is set, and 2 when some
* entropy has been pushed in. The value 2 marks the RNG
* as "properly seeded".
*
* rng_os_rand_done is initially 0. It is set to 1 when
* some seeding from the OS or hardware has been attempted.
*/
br_hmac_drbg_context rng;
int rng_init_done;

13
mk/Rules.mk
View File

File diff suppressed because one or more lines are too long

3
mk/mkrules.sh
View File

@ -49,6 +49,7 @@ set -e
# Source files. Please keep in alphabetical order.
coresrc=" \
src/settings.c \
src/aead/gcm.c \
src/codec/ccopy.c \
src/codec/dec16be.c \
@ -165,6 +166,7 @@ coresrc=" \
src/mac/hmac.c \
src/mac/hmac_ct.c \
src/rand/hmac_drbg.c \
src/rand/sysrng.c \
src/rsa/rsa_default_pkcs1_sign.c \
src/rsa/rsa_default_pkcs1_vrfy.c \
src/rsa/rsa_default_priv.c \
@ -284,6 +286,7 @@ toolssrc=" \
tools/client.c \
tools/errors.c \
tools/files.c \
tools/impl.c \
tools/keys.c \
tools/names.c \
tools/server.c \

11
src/config.h
View File

@ -98,6 +98,17 @@
#define BR_NO_ARITH_SHIFT 1
*/
/*
* When BR_RDRAND is enabled, the SSL engine will use the RDRAND opcode
* to automatically obtain quality randomness for seeding its internal
* PRNG. Since that opcode is present only in recent x86 CPU, its
* support is dynamically tested; if the current CPU does not support
* it, then another random source will be used, such as /dev/urandom or
* CryptGenRandom().
*
#define BR_RDRAND 1
*/
/*
* When BR_USE_URANDOM is enabled, the SSL engine will use /dev/urandom
* to automatically obtain quality randomness for seedings its internal

200
src/hash/ghash_pclmul.c
View File

@ -22,6 +22,7 @@
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
/*
@ -31,20 +32,27 @@
#if BR_AES_X86NI
#if BR_AES_X86NI_GCC
#if BR_AES_X86NI_GCC_OLD
#pragma GCC push_options
#pragma GCC target("sse2,ssse3,pclmul")
#pragma GCC diagnostic ignored "-Wpsabi"
#endif
#include <tmmintrin.h>
#include <wmmintrin.h>
#include <cpuid.h>
#endif
/*
* Test CPU support for PCLMULQDQ.
*/
static inline int
pclmul_supported(void)
{
/*
* Bit mask for features in ECX:
* 1 PCLMULQDQ support
*/
return br_cpuid(0, 0, 0x00000002, 0);
}
#if BR_AES_X86NI_MSC
#include <intrin.h>
#endif
/* see bearssl_hash.h */
br_ghash
br_ghash_pclmul_get(void)
{
return pclmul_supported() ? &br_ghash_pclmul : 0;
}
BR_TARGETS_X86_UP
/*
* GHASH is defined over elements of GF(2^128) with "full little-endian"
@ -73,6 +81,66 @@
* chunks. We number chunks from 0 to 3 in left to right order.
*/
/*
* Byte-swap a complete 128-bit value. This normally uses
* _mm_shuffle_epi8(), which gets translated to pshufb (an SSSE3 opcode).
* However, this crashes old Clang versions, so, for Clang before 3.8,
* we use an alternate (and less efficient) version.
*/
#if BR_CLANG && !BR_CLANG_3_8
#define BYTESWAP_DECL
#define BYTESWAP_PREP (void)0
#define BYTESWAP(x) do { \
__m128i byteswap1, byteswap2; \
byteswap1 = (x); \
byteswap2 = _mm_srli_epi16(byteswap1, 8); \
byteswap1 = _mm_slli_epi16(byteswap1, 8); \
byteswap1 = _mm_or_si128(byteswap1, byteswap2); \
byteswap1 = _mm_shufflelo_epi16(byteswap1, 0x1B); \
byteswap1 = _mm_shufflehi_epi16(byteswap1, 0x1B); \
(x) = _mm_shuffle_epi32(byteswap1, 0x4E); \
} while (0)
#else
#define BYTESWAP_DECL __m128i byteswap_index;
#define BYTESWAP_PREP do { \
byteswap_index = _mm_set_epi8( \
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); \
} while (0)
#define BYTESWAP(x) do { \
(x) = _mm_shuffle_epi8((x), byteswap_index); \
} while (0)
#endif
/*
* Call pclmulqdq. Clang appears to have trouble with the intrinsic, so,
* for that compiler, we use inline assembly. Inline assembly is
* potentially a bit slower because the compiler does not understand
* what the opcode does, and thus cannot optimize instruction
* scheduling.
*
* We use a target of "sse2" only, so that Clang may still handle the
* '__m128i' type and allocate SSE2 registers.
*/
#if BR_CLANG
BR_TARGET("sse2")
static inline __m128i
pclmulqdq00(__m128i x, __m128i y)
{
__asm__ ("pclmulqdq $0x00, %1, %0" : "+x" (x) : "x" (y));
return x;
}
BR_TARGET("sse2")
static inline __m128i
pclmulqdq11(__m128i x, __m128i y)
{
__asm__ ("pclmulqdq $0x11, %1, %0" : "+x" (x) : "x" (y));
return x;
}
#else
#define pclmulqdq00(x, y) _mm_clmulepi64_si128(x, y, 0x00)
#define pclmulqdq11(x, y) _mm_clmulepi64_si128(x, y, 0x11)
#endif
/*
* From a 128-bit value kw, compute kx as the XOR of the two 64-bit
* halves of kw (into the right half of kx; left half is unspecified).
@ -150,8 +218,8 @@
*/
#define SQUARE_F128(kw, dw, dx) do { \
__m128i z0, z1, z2, z3; \
z1 = _mm_clmulepi64_si128(kw, kw, 0x11); \
z3 = _mm_clmulepi64_si128(kw, kw, 0x00); \
z1 = pclmulqdq11(kw, kw); \
z3 = pclmulqdq00(kw, kw); \
z0 = _mm_shuffle_epi32(z1, 0x0E); \
z2 = _mm_shuffle_epi32(z3, 0x0E); \
SL_256(z0, z1, z2, z3); \
@ -168,7 +236,7 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
unsigned char tmp[64];
size_t num4, num1;
__m128i yw, h1w, h1x;
__m128i byteswap_index;
BYTESWAP_DECL
/*
* We split data into two chunks. First chunk starts at buf1
@ -188,18 +256,17 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
}
/*
* Constant value to perform endian conversion.
* Preparatory step for endian conversions.
*/
byteswap_index = _mm_set_epi8(
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15);
BYTESWAP_PREP;
/*
* Load y and h.
*/
yw = _mm_loadu_si128(y);
h1w = _mm_loadu_si128(h);
yw = _mm_shuffle_epi8(yw, byteswap_index);
h1w = _mm_shuffle_epi8(h1w, byteswap_index);
BYTESWAP(yw);
BYTESWAP(h1w);
BK(h1w, h1x);
if (num4 > 0) {
@ -214,9 +281,9 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
/*
* Compute h3 = h^3 = h*(h^2).
*/
t1 = _mm_clmulepi64_si128(h1w, h2w, 0x11);
t3 = _mm_clmulepi64_si128(h1w, h2w, 0x00);
t2 = _mm_xor_si128(_mm_clmulepi64_si128(h1x, h2x, 0x00),
t1 = pclmulqdq11(h1w, h2w);
t3 = pclmulqdq00(h1w, h2w);
t2 = _mm_xor_si128(pclmulqdq00(h1x, h2x),
_mm_xor_si128(t1, t3));
t0 = _mm_shuffle_epi32(t1, 0x0E);
t1 = _mm_xor_si128(t1, _mm_shuffle_epi32(t2, 0x0E));
@ -238,10 +305,10 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
aw1 = _mm_loadu_si128((void *)(buf1 + 16));
aw2 = _mm_loadu_si128((void *)(buf1 + 32));
aw3 = _mm_loadu_si128((void *)(buf1 + 48));
aw0 = _mm_shuffle_epi8(aw0, byteswap_index);
aw1 = _mm_shuffle_epi8(aw1, byteswap_index);
aw2 = _mm_shuffle_epi8(aw2, byteswap_index);
aw3 = _mm_shuffle_epi8(aw3, byteswap_index);
BYTESWAP(aw0);
BYTESWAP(aw1);
BYTESWAP(aw2);
BYTESWAP(aw3);
buf1 += 64;
aw0 = _mm_xor_si128(aw0, yw);
@ -252,25 +319,25 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
t1 = _mm_xor_si128(
_mm_xor_si128(
_mm_clmulepi64_si128(aw0, h4w, 0x11),
_mm_clmulepi64_si128(aw1, h3w, 0x11)),
pclmulqdq11(aw0, h4w),
pclmulqdq11(aw1, h3w)),
_mm_xor_si128(
_mm_clmulepi64_si128(aw2, h2w, 0x11),
_mm_clmulepi64_si128(aw3, h1w, 0x11)));
pclmulqdq11(aw2, h2w),
pclmulqdq11(aw3, h1w)));
t3 = _mm_xor_si128(
_mm_xor_si128(
_mm_clmulepi64_si128(aw0, h4w, 0x00),
_mm_clmulepi64_si128(aw1, h3w, 0x00)),
pclmulqdq00(aw0, h4w),
pclmulqdq00(aw1, h3w)),
_mm_xor_si128(
_mm_clmulepi64_si128(aw2, h2w, 0x00),
_mm_clmulepi64_si128(aw3, h1w, 0x00)));
pclmulqdq00(aw2, h2w),
pclmulqdq00(aw3, h1w)));
t2 = _mm_xor_si128(
_mm_xor_si128(
_mm_clmulepi64_si128(ax0, h4x, 0x00),
_mm_clmulepi64_si128(ax1, h3x, 0x00)),
pclmulqdq00(ax0, h4x),
pclmulqdq00(ax1, h3x)),
_mm_xor_si128(
_mm_clmulepi64_si128(ax2, h2x, 0x00),
_mm_clmulepi64_si128(ax3, h1x, 0x00)));
pclmulqdq00(ax2, h2x),
pclmulqdq00(ax3, h1x)));
t2 = _mm_xor_si128(t2, _mm_xor_si128(t1, t3));
t0 = _mm_shuffle_epi32(t1, 0x0E);
t1 = _mm_xor_si128(t1, _mm_shuffle_epi32(t2, 0x0E));
@ -286,15 +353,15 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
__m128i t0, t1, t2, t3;
aw = _mm_loadu_si128((void *)buf2);
aw = _mm_shuffle_epi8(aw, byteswap_index);
BYTESWAP(aw);
buf2 += 16;
aw = _mm_xor_si128(aw, yw);
BK(aw, ax);
t1 = _mm_clmulepi64_si128(aw, h1w, 0x11);
t3 = _mm_clmulepi64_si128(aw, h1w, 0x00);
t2 = _mm_clmulepi64_si128(ax, h1x, 0x00);
t1 = pclmulqdq11(aw, h1w);
t3 = pclmulqdq00(aw, h1w);
t2 = pclmulqdq00(ax, h1x);
t2 = _mm_xor_si128(t2, _mm_xor_si128(t1, t3));
t0 = _mm_shuffle_epi32(t1, 0x0E);
t1 = _mm_xor_si128(t1, _mm_shuffle_epi32(t2, 0x0E));
@ -304,52 +371,11 @@ br_ghash_pclmul(void *y, const void *h, const void *data, size_t len)
yw = _mm_unpacklo_epi64(t1, t0);
}
yw = _mm_shuffle_epi8(yw, byteswap_index);
BYTESWAP(yw);
_mm_storeu_si128(y, yw);
}
/*
* Test CPU support for PCLMULQDQ.
*/
static int
pclmul_supported(void)
{
/*
* Bit mask for features in ECX:
* 1 PCLMULQDQ support
*/
#define MASK 0x00000002
#if BR_AES_X86NI_GCC
unsigned eax, ebx, ecx, edx;
if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
return (ecx & MASK) == MASK;
} else {
return 0;
}
#elif BR_AES_X86NI_MSC
int info[4];
__cpuid(info, 1);
return ((uint32_t)info[2] & MASK) == MASK;
#else
return 0;
#endif
#undef MASK
}
/* see bearssl_hash.h */
br_ghash
br_ghash_pclmul_get(void)
{
return pclmul_supported() ? &br_ghash_pclmul : 0;
}
#if BR_AES_X86NI_GCC && BR_AES_X86NI_GCC_OLD
#pragma GCC pop_options
#endif
BR_TARGETS_X86_DOWN
#else

349
src/inner.h
View File

@ -109,97 +109,212 @@
* Set BR_LOMUL on platforms where it makes sense.
*/
#ifndef BR_LOMUL
#if BR_ARMEL_CORTEX_GCC
#if BR_ARMEL_CORTEXM_GCC
#define BR_LOMUL 1
#endif
#endif
/*
* Determine whether x86 AES instructions are understood by the compiler.
* Architecture detection.
*/
#ifndef BR_AES_X86NI
#if (__i386__ || __x86_64__) \
&& ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 8)) \
|| (__clang_major__ > 3 \
|| (__clang_major__ == 3 && __clang_minor__ >= 7)))
#define BR_AES_X86NI 1
#elif (_M_IX86 || _M_X64) && (_MSC_VER >= 1700)
#define BR_AES_X86NI 1
#ifndef BR_i386
#if __i386__ || _M_IX86
#define BR_i386 1
#endif
#endif
#ifndef BR_amd64
#if __x86_64__ || _M_X64
#define BR_amd64 1
#endif
#endif
/*
* If we use x86 AES instruction, determine the compiler brand.
* Compiler brand and version.
*
* Implementations that use intrinsics need to detect the compiler type
* and version because some specific actions may be needed to activate
* the corresponding opcodes, both for header inclusion, and when using
* them in a function.
*
* BR_GCC, BR_CLANG and BR_MSC will be set to 1 for, respectively, GCC,
* Clang and MS Visual C. For each of them, sub-macros will be defined
* for versions; each sub-macro is set whenever the compiler version is
* at least as recent as the one corresponding to the macro.
*/
#if BR_AES_X86NI
#ifndef BR_AES_X86NI_GCC
#if __GNUC__
#define BR_AES_X86NI_GCC 1
/*
* GCC thresholds are on versions 4.4 to 4.9 and 5.0.
*/
#ifndef BR_GCC
#if __GNUC__ && !__clang__
#define BR_GCC 1
#if __GNUC__ > 4
#define BR_GCC_5_0 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 9
#define BR_GCC_4_9 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 8
#define BR_GCC_4_8 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 7
#define BR_GCC_4_7 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 6
#define BR_GCC_4_6 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 5
#define BR_GCC_4_5 1
#elif __GNUC__ == 4 && __GNUC_MINOR__ >= 4
#define BR_GCC_4_4 1
#endif
#if BR_GCC_5_0
#define BR_GCC_4_9 1
#endif
#ifndef BR_AES_X86NI_MSC
#if _MSC_VER >= 1700
#define BR_AES_X86NI_MSC 1
#if BR_GCC_4_9
#define BR_GCC_4_8 1
#endif
#if BR_GCC_4_8
#define BR_GCC_4_7 1
#endif
#if BR_GCC_4_7
#define BR_GCC_4_6 1
#endif
#if BR_GCC_4_6
#define BR_GCC_4_5 1
#endif
#if BR_GCC_4_5
#define BR_GCC_4_4 1
#endif
#endif
#endif
/*
* Determine whether SSE2 intrinsics are understood by the compiler.
* Right now, we restrict ourselves to compiler versions where things
* are documented to work well:
* -- GCC 4.4+ and Clang 3.7+ understand the function attribute "target"
* -- MS Visual Studio 2005 documents the existence of <emmintrin.h>
* SSE2-powered code _might_ work with older versions, but there is no
* pressing need to do so right now.
* Clang thresholds are on versions 3.7.0 and 3.8.0.
*/
#ifndef BR_SSE2
#if (__i386__ || __x86_64__) \
&& ((__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4)) \
|| (__clang_major__ > 3 \
|| (__clang_major__ == 3 && __clang_minor__ >= 7)))
#define BR_SSE2 1
#elif (_M_IX86 || _M_X64) && (_MSC_VER >= 1400)
#define BR_SSE2 1
#ifndef BR_CLANG
#if __clang__
#define BR_CLANG 1
#if __clang_major__ > 3 || (__clang_major__ == 3 && __clang_minor__ >= 8)
#define BR_CLANG_3_8 1
#elif __clang_major__ == 3 && __clang_minor__ >= 7
#define BR_CLANG_3_7 1
#endif
#if BR_CLANG_3_8
#define BR_CLANG_3_7 1
#endif
#endif
#endif
/*
* If we use SSE2 intrinsics, determine the compiler brand.
* MS Visual C thresholds are on Visual Studio 2005 to 2015.
*/
#if BR_SSE2
#ifndef BR_SSE2_GCC
#if __GNUC__
#define BR_SSE2_GCC 1
#ifndef BR_MSC
#if _MSC_VER
#define BR_MSC 1
#if _MSC_VER >= 1900
#define BR_MSC_2015 1
#elif _MSC_VER >= 1800
#define BR_MSC_2013 1
#elif _MSC_VER >= 1700
#define BR_MSC_2012 1
#elif _MSC_VER >= 1600
#define BR_MSC_2010 1
#elif _MSC_VER >= 1500
#define BR_MSC_2008 1
#elif _MSC_VER >= 1400
#define BR_MSC_2005 1
#endif
#if BR_MSC_2015
#define BR_MSC_2013 1
#endif
#ifndef BR_SSE2_MSC
#if _MSC_VER >= 1400
#define BR_SSE2_MSC 1
#if BR_MSC_2013
#define BR_MSC_2012 1
#endif
#if BR_MSC_2012
#define BR_MSC_2010 1
#endif
#if BR_MSC_2010
#define BR_MSC_2008 1
#endif
#if BR_MSC_2008
#define BR_MSC_2005 1
#endif
#endif
#endif
/*
* A macro to tag a function with a "target" attribute (for GCC and Clang).
* GCC 4.4+ and Clang 3.7+ allow tagging specific functions with a
* 'target' attribute that activates support for specific opcodes.
*/
#if BR_AES_X86NI_GCC || BR_SSE2_GCC
#if BR_GCC_4_4 || BR_CLANG_3_7
#define BR_TARGET(x) __attribute__((target(x)))
#else
#define BR_TARGET(x)
#endif
/*
* GCC versions from 4.4 to 4.8 (inclusive) must use a special #pragma
* to activate extra opcodes before including the relevant intrinsic
* AES-NI headers. But these don't work with Clang (which does not need
* them either). We also need that #pragma for GCC 4.9 in order to work
* around a compiler bug (it tends to blow up on ghash_pclmul code
* otherwise).
* AES-NI intrinsics are available on x86 (32-bit and 64-bit) with
* GCC 4.8+, Clang 3.7+ and MSC 2012+.
*/
#if BR_AES_X86NI_GCC && !defined BR_AES_X86NI_GCC_OLD
#if __GNUC__ == 4 && __GNUC_MINOR__ >= 4 && __GNUC_MINOR__ <= 9 && !__clang__
#define BR_AES_X86NI_GCC_OLD 1
#ifndef BR_AES_X86NI
#if (BR_i386 || BR_amd64) && (BR_GCC_4_8 || BR_CLANG_3_7 || BR_MSC_2012)
#define BR_AES_X86NI 1
#endif
#endif
/*
* SSE2 intrinsics are available on x86 (32-bit and 64-bit) with
* GCC 4.4+, Clang 3.7+ and MSC 2005+.
*/
#ifndef BR_SSE2
#if (BR_i386 || BR_amd64) && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005)
#define BR_SSE2 1
#endif
#endif
/*
* RDRAND intrinsics are available on x86 (32-bit and 64-bit) with
* GCC 4.6+, Clang 3.7+ and MSC 2012+.
*/
#ifndef BR_RDRAND
#if (BR_i386 || BR_amd64) && (BR_GCC_4_6 || BR_CLANG_3_7 || BR_MSC_2012)
#define BR_RDRAND 1
#endif
#endif
/*
* Determine type of OS for random number generation. Macro names and
* values are documented on:
* https://sourceforge.net/p/predef/wiki/OperatingSystems/
*
* TODO: enrich the list of detected system. Also add detection for
* alternate system calls like getentropy(), which are usually
* preferable when available.
*/
#ifndef BR_USE_URANDOM
#if defined _AIX \
|| defined __ANDROID__ \
|| defined __FreeBSD__ \
|| defined __NetBSD__ \
|| defined __OpenBSD__ \
|| defined __DragonFly__ \
|| defined __linux__ \
|| (defined __sun && (defined __SVR4 || defined __svr4__)) \
|| (defined __APPLE__ && defined __MACH__)
#define BR_USE_URANDOM 1
#endif
#endif
#ifndef BR_USE_WIN32_RAND
#if defined _WIN32 || defined _WIN64
#define BR_USE_WIN32_RAND 1
#endif
#endif
@ -281,6 +396,24 @@
#endif
/*
* Detect support for an OS-provided time source.
*/
#ifndef BR_USE_UNIX_TIME
#if defined __unix__ || defined __linux__ \
|| defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \
|| (defined __APPLE__ && defined __MACH__)
#define BR_USE_UNIX_TIME 1
#endif
#endif
#ifndef BR_USE_WIN32_TIME
#if defined _WIN32 || defined _WIN64
#define BR_USE_WIN32_TIME 1
#endif
#endif
/* ==================================================================== */
/*
* Encoding/decoding functions.
@ -2087,6 +2220,118 @@ int br_ssl_choose_hash(unsigned bf);
#endif
/* ==================================================================== */
/*
* Special "activate intrinsics" code, needed for some compiler versions.
* This is defined at the end of this file, so that it won't impact any
* of the inline functions defined previously; and it is controlled by
* a specific macro defined in the caller code.
*
* Calling code conventions:
*
* - Caller must define BR_ENABLE_INTRINSICS before including "inner.h".
* - Functions that use intrinsics must be enclosed in an "enabled"
* region (between BR_TARGETS_X86_UP and BR_TARGETS_X86_DOWN).
* - Functions that use intrinsics must be tagged with the appropriate
* BR_TARGET().
*/
#if BR_ENABLE_INTRINSICS && (BR_GCC_4_4 || BR_CLANG_3_7 || BR_MSC_2005)
/*
* x86 intrinsics (both 32-bit and 64-bit).
*/
#if BR_i386 || BR_amd64
#if BR_GCC && !BR_GCC_5_0
#if BR_GCC_4_6
#define BR_TARGETS_X86_UP \
_Pragma("GCC push_options") \
_Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul,rdrnd\")")
#else
#define BR_TARGETS_X86_UP \
_Pragma("GCC push_options") \
_Pragma("GCC target(\"sse2,ssse3,sse4.1,aes,pclmul\")")
#endif
#define BR_TARGETS_X86_DOWN \
_Pragma("GCC pop_options")
#pragma GCC diagnostic ignored "-Wpsabi"
#endif
#if BR_CLANG && !BR_CLANG_3_8
#undef __SSE2__
#undef __SSE3__
#undef __SSSE3__
#undef __SSE4_1__
#undef __AES__
#undef __PCLMUL__
#undef __RDRND__
#define __SSE2__ 1
#define __SSE3__ 1
#define __SSSE3__ 1
#define __SSE4_1__ 1
#define __AES__ 1
#define __PCLMUL__ 1
#define __RDRND__ 1
#endif
#ifndef BR_TARGETS_X86_UP
#define BR_TARGETS_X86_UP
#endif
#ifndef BR_TARGETS_X86_DOWN
#define BR_TARGETS_X86_DOWN
#endif
#if BR_GCC || BR_CLANG
BR_TARGETS_X86_UP
#include <x86intrin.h>
#include <cpuid.h>
#define bswap32 __builtin_bswap32
BR_TARGETS_X86_DOWN
#endif
#if BR_MSC
#include <stdlib.h>
#include <intrin.h>
#include <immintrin.h>
#define bswap32 _byteswap_ulong
#endif
static inline int
br_cpuid(uint32_t mask_eax, uint32_t mask_ebx,
uint32_t mask_ecx, uint32_t mask_edx)
{
#if BR_GCC || BR_CLANG
unsigned eax, ebx, ecx, edx;
if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
if ((eax & mask_eax) == mask_eax
&& (ebx & mask_ebx) == mask_ebx
&& (ecx & mask_ecx) == mask_ecx
&& (edx & mask_edx) == mask_edx)
{
return 1;
}
}
#elif BR_MSC
int info[4];
__cpuid(info, 1);
if (((uint32_t)info[0] & mask_eax) == mask_eax
&& ((uint32_t)info[1] & mask_ebx) == mask_ebx
&& ((uint32_t)info[2] & mask_ecx) == mask_ecx
&& ((uint32_t)info[3] & mask_edx) == mask_edx)
{
return 1;
}
#endif
return 0;
}
#endif
#endif
/* ==================================================================== */
#endif

169
src/rand/sysrng.c Normal file
View File

@ -0,0 +1,169 @@
/*
* Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
#if BR_USE_URANDOM
#include <sys/types.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#endif
#if BR_USE_WIN32_RAND
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "advapi32")
#endif
#if BR_RDRAND
BR_TARGETS_X86_UP
BR_TARGET("rdrnd")
static int
seeder_rdrand(const br_prng_class **ctx)
{
unsigned char tmp[32];
size_t u;
for (u = 0; u < sizeof tmp; u += sizeof(uint32_t)) {
int j;
uint32_t x;
/*
* We use the 32-bit intrinsic so that code is compatible
* with both 32-bit and 64-bit architectures.
*
* Intel recommends trying at least 10 times in case of
* failure.
*/
for (j = 0; j < 10; j ++) {
if (_rdrand32_step(&x)) {
goto next_word;
}
}
return 0;
next_word:
br_enc32le(tmp + u, x);
}
(*ctx)->update(ctx, tmp, sizeof tmp);
return 1;
}
BR_TARGETS_X86_DOWN
static int
rdrand_supported(void)
{
/*
* The RDRND support is bit 30 of ECX, as returned by CPUID.
*/
return br_cpuid(0, 0, 0x40000000, 0);
}
#endif
#if BR_USE_URANDOM
static int
seeder_urandom(const br_prng_class **ctx)
{
int f;
f = open("/dev/urandom", O_RDONLY);
if (f >= 0) {
unsigned char tmp[32];
size_t u;
for (u = 0; u < sizeof tmp;) {
ssize_t len;
len = read(f, tmp + u, (sizeof tmp) - u);
if (len < 0) {
if (errno == EINTR) {
continue;
}
break;
}
u += (size_t)len;
}
close(f);
if (u == sizeof tmp) {
(*ctx)->update(ctx, tmp, sizeof tmp);
return 1;
}
}
return 0;
}
#endif
#if BR_USE_WIN32_RAND
static int
seeder_win32(const br_prng_class **ctx)
{
HCRYPTPROV hp;
if (CryptAcquireContext(&hp, 0, 0, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
{
BYTE buf[32];
BOOL r;
r = CryptGenRandom(hp, sizeof buf, buf);
CryptReleaseContext(hp, 0);
if (r) {
(*ctx)->update(ctx, buf, sizeof buf);
return 1;
}
}
return 0;
}
#endif
/* see bearssl_rand.h.h */
br_prng_seeder
br_prng_seeder_system(const char **name)
{
#if BR_RDRAND
if (rdrand_supported()) {
if (name != NULL) {
*name = "rdrand";
}
return &seeder_rdrand;
}
#endif
#if BR_USE_URANDOM
if (name != NULL) {
*name = "urandom";
}
return &seeder_urandom;
#elif BR_USE_WIN32_RAND
if (name != NULL) {
*name = "win32";
}
return &seeder_win32;
#endif
if (name != NULL) {
*name = "none";
}
return 0;
}

306
src/settings.c Normal file
View File

@ -0,0 +1,306 @@
/*
* Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "inner.h"
static const br_config_option config[] = {
{ "BR_64",
#if BR_64
1
#else
0
#endif
},
{ "BR_AES_X86NI",
#if BR_AES_X86NI
1
#else
0
#endif
},
{ "BR_amd64",
#if BR_amd64
1
#else
0
#endif
},
{ "BR_ARMEL_CORTEXM_GCC",
#if BR_ARMEL_CORTEXM_GCC
1
#else
0
#endif
},
{ "BR_BE_UNALIGNED",
#if BR_BE_UNALIGNED
1
#else
0
#endif
},
{ "BR_CLANG",
#if BR_CLANG
1
#else
0
#endif
},
{ "BR_CLANG_3_7",
#if BR_CLANG_3_7
1
#else
0
#endif
},
{ "BR_CLANG_3_8",
#if BR_CLANG_3_8
1
#else
0
#endif
},
{ "BR_CT_MUL15",
#if BR_CT_MUL15
1
#else
0
#endif
},
{ "BR_CT_MUL31",
#if BR_CT_MUL31
1
#else
0
#endif
},
{ "BR_GCC",
#if BR_GCC
1
#else
0
#endif
},
{ "BR_GCC_4_4",
#if BR_GCC_4_4
1
#else
0
#endif
},
{ "BR_GCC_4_5",
#if BR_GCC_4_5
1
#else
0
#endif
},
{ "BR_GCC_4_6",
#if BR_GCC_4_6
1
#else
0
#endif
},
{ "BR_GCC_4_7",
#if BR_GCC_4_7
1
#else
0
#endif
},
{ "BR_GCC_4_8",
#if BR_GCC_4_8
1
#else
0
#endif
},
{ "BR_GCC_4_9",
#if BR_GCC_4_9
1
#else
0
#endif
},
{ "BR_GCC_5_0",
#if BR_GCC_5_0
1
#else
0
#endif
},
{ "BR_i386",
#if BR_i386
1
#else
0
#endif
},
{ "BR_INT128",
#if BR_INT128
1
#else
0
#endif
},
{ "BR_LE_UNALIGNED",
#if BR_LE_UNALIGNED
1
#else
0
#endif
},
{ "BR_LOMUL",
#if BR_LOMUL
1
#else
0
#endif
},
{ "BR_MAX_EC_SIZE", BR_MAX_EC_SIZE },
{ "BR_MAX_RSA_SIZE", BR_MAX_RSA_SIZE },
{ "BR_MAX_RSA_FACTOR", BR_MAX_RSA_FACTOR },
{ "BR_MSC",
#if BR_MSC
1
#else
0
#endif
},
{ "BR_MSC_2005",
#if BR_MSC_2005
1
#else
0
#endif
},
{ "BR_MSC_2008",
#if BR_MSC_2008
1
#else
0
#endif
},
{ "BR_MSC_2010",
#if BR_MSC_2010
1
#else
0
#endif
},
{ "BR_MSC_2012",
#if BR_MSC_2012
1
#else
0
#endif
},
{ "BR_MSC_2013",
#if BR_MSC_2013
1
#else
0
#endif
},
{ "BR_MSC_2015",
#if BR_MSC_2015
1
#else
0
#endif
},
{ "BR_POWER8",
#if BR_POWER8
1
#else
0
#endif
},
{ "BR_RDRAND",
#if BR_RDRAND
1
#else
0
#endif
},
{ "BR_SLOW_MUL",
#if BR_SLOW_MUL
1
#else
0
#endif
},
{ "BR_SLOW_MUL15",
#if BR_SLOW_MUL15
1
#else
0
#endif
},
{ "BR_SSE2",
#if BR_SSE2
1
#else
0
#endif
},
{ "BR_UMUL128",
#if BR_UMUL128
1
#else
0
#endif
},
{ "BR_USE_UNIX_TIME",
#if BR_USE_UNIX_TIME
1
#else
0
#endif
},
{ "BR_USE_WIN32_RAND",
#if BR_USE_WIN32_RAND
1
#else
0
#endif
},
{ "BR_USE_WIN32_TIME",
#if BR_USE_WIN32_TIME
1
#else
0
#endif
},
{ NULL, 0 }
};
/* see bearssl.h */
const br_config_option *
br_get_config(void)
{
return config;
}

153
src/ssl/ssl_engine.c
View File

@ -24,6 +24,9 @@
#include "inner.h"
#if 0
/* obsolete */
/*
* If BR_USE_URANDOM is not defined, then try to autodetect its presence
* through compiler macros.
@ -75,6 +78,8 @@
#pragma comment(lib, "advapi32")
#endif
#endif
/* ==================================================================== */
/*
* This part of the file does the low-level record management.
@ -456,65 +461,71 @@ engine_clearbuf(br_ssl_engine_context *rc)
make_ready_out(rc);
}
/*
* Make sure the internal PRNG is initialised (but not necessarily
* seeded properly yet).
*/
static int
rng_init(br_ssl_engine_context *cc)
{
const br_hash_class *h;
if (cc->rng_init_done != 0) {
return 1;
}
/*
* If using TLS-1.2, then SHA-256 or SHA-384 must be present (or
* both); we prefer SHA-256 which is faster for 32-bit systems.
*
* If using TLS-1.0 or 1.1 then SHA-1 must be present.
*
* Though HMAC_DRBG/SHA-1 is, as far as we know, as safe as
* these things can be, we still prefer the SHA-2 functions over
* SHA-1, if only for public relations (known theoretical
* weaknesses of SHA-1 with regards to collisions are mostly
* irrelevant here, but they still make people nervous).
*/
h = br_multihash_getimpl(&cc->mhash, br_sha256_ID);
if (!h) {
h = br_multihash_getimpl(&cc->mhash, br_sha384_ID);
if (!h) {
h = br_multihash_getimpl(&cc->mhash,
br_sha1_ID);
if (!h) {
br_ssl_engine_fail(cc, BR_ERR_BAD_STATE);
return 0;
}
}
}
br_hmac_drbg_init(&cc->rng, h, NULL, 0);
cc->rng_init_done = 1;
return 1;
}
/* see inner.h */
int
br_ssl_engine_init_rand(br_ssl_engine_context *cc)
{
if (!rng_init(cc)) {
return 0;
}
/*
* TODO: use getrandom() on Linux systems, with a fallback to
* opening /dev/urandom if that system call fails.
*
* Use similar OS facilities on other OS (getentropy() on OpenBSD,
* specialized sysctl on NetBSD and FreeBSD...).
* We always try OS/hardware seeding once. If it works, then
* we assume proper seeding. If not, then external entropy must
* have been injected; otherwise, we report an error.
*/
#if BR_USE_URANDOM
if (!cc->rng_os_rand_done) {
int f;
br_prng_seeder sd;
f = open("/dev/urandom", O_RDONLY);
if (f >= 0) {
unsigned char tmp[32];
size_t u;
for (u = 0; u < sizeof tmp;) {
ssize_t len;
len = read(f, tmp + u, (sizeof tmp) - u);
if (len < 0) {
if (errno == EINTR) {
continue;
}
break;
}
u += (size_t)len;
}
close(f);
if (u == sizeof tmp) {
br_ssl_engine_inject_entropy(cc, tmp, u);
cc->rng_os_rand_done = 1;
}
sd = br_prng_seeder_system(NULL);
if (sd != 0 && sd(&cc->rng.vtable)) {
cc->rng_init_done = 2;
}
cc->rng_os_rand_done = 1;
}
#elif BR_USE_WIN32_RAND
if (!cc->rng_os_rand_done) {
HCRYPTPROV hp;
if (CryptAcquireContextW(&hp, 0, 0, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
{
BYTE buf[32];
if (CryptGenRandom(hp, sizeof buf, buf)) {
br_ssl_engine_inject_entropy(cc,
buf, sizeof buf);
cc->rng_os_rand_done = 1;
}
CryptReleaseContext(hp, 0);
}
}
#endif
if (!cc->rng_init_done) {
if (cc->rng_init_done < 2) {
br_ssl_engine_fail(cc, BR_ERR_NO_RANDOM);
return 0;
}
@ -526,41 +537,17 @@ void
br_ssl_engine_inject_entropy(br_ssl_engine_context *cc,
const void *data, size_t len)
{
if (cc->rng_init_done) {
br_hmac_drbg_update(&cc->rng, data, len);
} else {
/*
* If using TLS-1.2, then SHA-256 or SHA-384 must be
* present (or both); we prefer SHA-256 which is faster
* for 32-bit systems.
*
* If using TLS-1.0 or 1.1 then SHA-1 must be present.
*
* Though HMAC_DRBG/SHA-1 is, as far as we know, as safe
* as these things can be, we still prefer the SHA-2
* functions over SHA-1, if only for public relations
* (known theoretical weaknesses of SHA-1 with regards to
* collisions are mostly irrelevant here, but they still
* make people nervous).
*/
const br_hash_class *h;
h = br_multihash_getimpl(&cc->mhash, br_sha256_ID);
if (!h) {
h = br_multihash_getimpl(&cc->mhash, br_sha384_ID);
if (!h) {
h = br_multihash_getimpl(&cc->mhash,
br_sha1_ID);
if (!h) {
br_ssl_engine_fail(cc,
BR_ERR_BAD_STATE);
return;
}
}
}
br_hmac_drbg_init(&cc->rng, h, data, len);
cc->rng_init_done = 1;
/*
* Externally provided entropy is assumed to be "good enough"
* (we cannot really test its quality) so if the RNG structure
* could be initialised at all, then we marked the RNG as
* "properly seeded".
*/
if (!rng_init(cc)) {
return;
}
br_hmac_drbg_update(&cc->rng, data, len);
cc->rng_init_done = 2;
}
/*

48
src/symcipher/aes_x86ni.c
View File

@ -22,6 +22,7 @@
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
/*
@ -31,22 +32,6 @@
#if BR_AES_X86NI
#if BR_AES_X86NI_GCC
#if BR_AES_X86NI_GCC_OLD
#pragma GCC push_options
#pragma GCC target("sse2,sse4.1,aes,pclmul")
#endif
#include <wmmintrin.h>
#include <cpuid.h>
#if BR_AES_X86NI_GCC_OLD
#pragma GCC pop_options
#endif
#endif
#if BR_AES_X86NI_MSC
#include <intrin.h>
#endif
/* see inner.h */
int
br_aes_x86ni_supported(void)
@ -56,35 +41,10 @@ br_aes_x86ni_supported(void)
* 19 SSE4.1 (used for _mm_insert_epi32(), for AES-CTR)
* 25 AES-NI
*/
#define MASK 0x02080000
#if BR_AES_X86NI_GCC
unsigned eax, ebx, ecx, edx;
if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
return (ecx & MASK) == MASK;
} else {
return 0;
}
#elif BR_AES_X86NI_MSC
int info[4];
__cpuid(info, 1);
return ((uint32_t)info[2] & MASK) == MASK;
#else
return 0;
#endif
#undef MASK
return br_cpuid(0, 0, 0x02080000, 0);
}
/*
* Per-function attributes appear unreliable on old GCC, so we use the
* pragma for all remaining functions in this file.
*/
#if BR_AES_X86NI_GCC_OLD
#pragma GCC target("sse2,sse4.1,aes,pclmul")
#endif
BR_TARGETS_X86_UP
BR_TARGET("sse2,aes")
static inline __m128i
@ -275,4 +235,6 @@ br_aes_x86ni_keysched_dec(unsigned char *skni, const void *key, size_t len)
return num_rounds;
}
BR_TARGETS_X86_DOWN
#endif

28
src/symcipher/aes_x86ni_cbcdec.c
View File

@ -22,20 +22,17 @@
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
#if BR_AES_X86NI
#if BR_AES_X86NI_GCC
#if BR_AES_X86NI_GCC_OLD
#pragma GCC target("sse2,sse4.1,aes,pclmul")
#endif
#include <wmmintrin.h>
#endif
#if BR_AES_X86NI_MSC
#include <intrin.h>
#endif
/* see bearssl_block.h */
const br_block_cbcdec_class *
br_aes_x86ni_cbcdec_get_vtable(void)
{
return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcdec_vtable : NULL;
}
/* see bearssl_block.h */
void
@ -46,6 +43,8 @@ br_aes_x86ni_cbcdec_init(br_aes_x86ni_cbcdec_keys *ctx,
ctx->num_rounds = br_aes_x86ni_keysched_dec(ctx->skey.skni, key, len);
}
BR_TARGETS_X86_UP
/* see bearssl_block.h */
BR_TARGET("sse2,aes")
void
@ -199,6 +198,8 @@ br_aes_x86ni_cbcdec_run(const br_aes_x86ni_cbcdec_keys *ctx,
_mm_storeu_si128(iv, ivx);
}
BR_TARGETS_X86_DOWN
/* see bearssl_block.h */
const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable = {
sizeof(br_aes_x86ni_cbcdec_keys),
@ -210,13 +211,6 @@ const br_block_cbcdec_class br_aes_x86ni_cbcdec_vtable = {
&br_aes_x86ni_cbcdec_run
};
/* see bearssl_block.h */
const br_block_cbcdec_class *
br_aes_x86ni_cbcdec_get_vtable(void)
{
return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcdec_vtable : NULL;
}
#else
/* see bearssl_block.h */

28
src/symcipher/aes_x86ni_cbcenc.c
View File

@ -22,20 +22,17 @@
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
#if BR_AES_X86NI
#if BR_AES_X86NI_GCC
#if BR_AES_X86NI_GCC_OLD
#pragma GCC target("sse2,sse4.1,aes,pclmul")
#endif
#include <wmmintrin.h>
#endif
#if BR_AES_X86NI_MSC
#include <intrin.h>
#endif
/* see bearssl_block.h */
const br_block_cbcenc_class *
br_aes_x86ni_cbcenc_get_vtable(void)
{
return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcenc_vtable : NULL;
}
/* see bearssl_block.h */
void
@ -46,6 +43,8 @@ br_aes_x86ni_cbcenc_init(br_aes_x86ni_cbcenc_keys *ctx,
ctx->num_rounds = br_aes_x86ni_keysched_enc(ctx->skey.skni, key, len);
}
BR_TARGETS_X86_UP
/* see bearssl_block.h */
BR_TARGET("sse2,aes")
void
@ -98,6 +97,8 @@ br_aes_x86ni_cbcenc_run(const br_aes_x86ni_cbcenc_keys *ctx,
_mm_storeu_si128(iv, ivx);
}
BR_TARGETS_X86_DOWN
/* see bearssl_block.h */
const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable = {
sizeof(br_aes_x86ni_cbcenc_keys),
@ -109,13 +110,6 @@ const br_block_cbcenc_class br_aes_x86ni_cbcenc_vtable = {
&br_aes_x86ni_cbcenc_run
};
/* see bearssl_block.h */
const br_block_cbcenc_class *
br_aes_x86ni_cbcenc_get_vtable(void)
{
return br_aes_x86ni_supported() ? &br_aes_x86ni_cbcenc_vtable : NULL;
}
#else
/* see bearssl_block.h */

32
src/symcipher/aes_x86ni_ctr.c
View File

@ -22,24 +22,17 @@
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
#if BR_AES_X86NI
#if BR_AES_X86NI_GCC
#if BR_AES_X86NI_GCC_OLD
#pragma GCC target("sse2,sse4.1,aes,pclmul")
#endif
#include <smmintrin.h>
#include <wmmintrin.h>
#define bswap32 __builtin_bswap32
#endif
#if BR_AES_X86NI_MSC
#include <stdlib.h>
#include <intrin.h>
#define bswap32 _byteswap_ulong
#endif
/* see bearssl_block.h */
const br_block_ctr_class *
br_aes_x86ni_ctr_get_vtable(void)
{
return br_aes_x86ni_supported() ? &br_aes_x86ni_ctr_vtable : NULL;
}
/* see bearssl_block.h */
void
@ -50,6 +43,8 @@ br_aes_x86ni_ctr_init(br_aes_x86ni_ctr_keys *ctx,
ctx->num_rounds = br_aes_x86ni_keysched_enc(ctx->skey.skni, key, len);
}
BR_TARGETS_X86_UP
/* see bearssl_block.h */
BR_TARGET("sse2,sse4.1,aes")
uint32_t
@ -190,6 +185,8 @@ br_aes_x86ni_ctr_run(const br_aes_x86ni_ctr_keys *ctx,
return cc;
}
BR_TARGETS_X86_DOWN
/* see bearssl_block.h */
const br_block_ctr_class br_aes_x86ni_ctr_vtable = {
sizeof(br_aes_x86ni_ctr_keys),
@ -202,13 +199,6 @@ const br_block_ctr_class br_aes_x86ni_ctr_vtable = {
&br_aes_x86ni_ctr_run
};
/* see bearssl_block.h */
const br_block_ctr_class *
br_aes_x86ni_ctr_get_vtable(void)
{
return br_aes_x86ni_supported() ? &br_aes_x86ni_ctr_vtable : NULL;
}
#else
/* see bearssl_block.h */

78
src/symcipher/chacha20_sse2.c
View File

@ -22,22 +22,43 @@
* SOFTWARE.
*/
#define BR_ENABLE_INTRINSICS 1
#include "inner.h"
#if BR_SSE2
/*
* This file contains a ChaCha20 implementation that leverages SSE2
* opcodes for better performance.
*/
#if BR_SSE2
/* see bearssl_block.h */
br_chacha20_run
br_chacha20_sse2_get(void)
{
/*
* If using 64-bit mode, then SSE2 opcodes should be automatically
* available, since they are part of the ABI.
*
* In 32-bit mode, we use CPUID to detect the SSE2 feature.
*/
#if BR_SSE2_GCC
#include <emmintrin.h>
#include <cpuid.h>
#endif
#if BR_SSE2_MSC
#include <intrin.h>
#if BR_amd64
return &br_chacha20_sse2_run;
#else
/*
* SSE2 support is indicated by bit 26 in EDX.
*/
if (br_cpuid(0, 0, 0, 0x04000000)) {
return &br_chacha20_sse2_run;
} else {
return 0;
}
#endif
}
BR_TARGETS_X86_UP
/* see bearssl_block.h */
BR_TARGET("sse2")
@ -202,48 +223,7 @@ br_chacha20_sse2_run(const void *key,
| ((uint32_t)_mm_extract_epi16(iw, 1) << 16);
}
/* see bearssl_block.h */
br_chacha20_run
br_chacha20_sse2_get(void)
{
/*
* If using 64-bit mode, then SSE2 opcodes should be automatically
* available, since they are part of the ABI.
*
* In 32-bit mode, we use CPUID to detect the SSE2 feature.
*/
#if __x86_64__ || _M_X64
return &br_chacha20_sse2_run;
#else
/*
* SSE2 support is indicated by bit 26 in EDX.
*/
#define MASK 0x04000000
#if BR_SSE2_GCC
unsigned eax, ebx, ecx, edx;
if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
if ((edx & MASK) == MASK) {
return &br_chacha20_sse2_run;
}
}
#elif BR_SSE2_MSC
int info[4];
__cpuid(info, 1);
if (((uint32_t)info[3] & MASK) == MASK) {
return &br_chacha20_sse2_run;
}
#endif
return 0;
#endif
}
BR_TARGETS_X86_DOWN
#else

14
src/x509/x509_minimal.c
View File

@ -200,20 +200,6 @@ void br_x509_minimal_run(void *t0ctx);
* then validation is reported as failed.
*/
#ifndef BR_USE_UNIX_TIME
#if defined __unix__ || defined __linux__ \
|| defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \
|| (defined __APPLE__ && defined __MACH__)
#define BR_USE_UNIX_TIME 1
#endif
#endif
#ifndef BR_USE_WIN32_TIME
#if defined _WIN32 || defined _WIN64
#define BR_USE_WIN32_TIME 1
#endif
#endif
#if BR_USE_UNIX_TIME
#include <time.h>
#endif

14
src/x509/x509_minimal.t0
View File

@ -149,20 +149,6 @@ preamble {
* then validation is reported as failed.
*/
#ifndef BR_USE_UNIX_TIME
#if defined __unix__ || defined __linux__ \
|| defined _POSIX_SOURCE || defined _POSIX_C_SOURCE \
|| (defined __APPLE__ && defined __MACH__)
#define BR_USE_UNIX_TIME 1
#endif
#endif
#ifndef BR_USE_WIN32_TIME
#if defined _WIN32 || defined _WIN64
#define BR_USE_WIN32_TIME 1
#endif
#endif
#if BR_USE_UNIX_TIME
#include <time.h>
#endif

5
tools/brssl.c
View File

@ -51,6 +51,7 @@ usage(void)
fprintf(stderr, " ta decode trust anchors\n");
fprintf(stderr, " chain make C code for certificate chains\n");
fprintf(stderr, " twrch run the Twrch protocol\n");
fprintf(stderr, " impl report on implementations\n");
}
int
@ -108,6 +109,10 @@ main(int argc, char *argv[])
} else {
return ret;
}
} else if (eqstr(cmd, "impl")) {
if (do_impl(argc - 2, argv + 2) < 0) {
return EXIT_FAILURE;
}
} else {
fprintf(stderr, "unknown command: '%s'\n", cmd);
usage();

6
tools/brssl.h
View File

@ -546,4 +546,10 @@ int do_chain(int argc, char *argv[]);
*/
int do_twrch(int argc, char *argv[]);
/*
* Do the "impl" command. Returned value is 0 on success, -1 on failure.
* Command-line arguments start _after_ the command name.
*/
int do_impl(int argc, char *argv[]);
#endif

48
tools/impl.c Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include "brssl.h"
#include "bearssl.h"
/* see brssl.h */
int
do_impl(int argc, char *argv[])
{
const br_config_option *opt;
(void)argc;
(void)argv;
for (opt = br_get_config(); opt->name != NULL; opt ++) {
printf("%-25s %8ld\n", opt->name, opt->value);
}
return 0;
}

4
tools/sslio.c
View File

@ -266,7 +266,11 @@ run_ssl_engine(br_ssl_engine_context *cc, unsigned long fd, unsigned flags)
* Print algorithm details.
*/
if (verbose) {
const char *rngname;
fprintf(stderr, "Algorithms:\n");
br_prng_seeder_system(&rngname);
fprintf(stderr, " RNG: %s\n", rngname);
if (cc->iaes_cbcenc != 0) {
fprintf(stderr, " AES/CBC (enc): %s\n",
get_algo_name(cc->iaes_cbcenc, 0));